SafetyNet Attestation

The SafetyNet Attestation API provided by Google allows app developers to assess the Android device their app is running on. The API should be used as part of your misuse detection system to help determine whether your servers are interacting with your genuine app running on a genuine Android device.

The mobile services have integrated with the SafetyNet Attestation API to assess the device's integrity. To create the attestation, the API examines the device's software and hardware environment, looks for integrity issues, and compares the result with the reference data for approved Android devices. The generated attestation token is bound to the nonce that the mobile services provide, and it carries a generation timestamp and a lifetime, together with information about the requesting app.

After Android attestation is enabled and correctly configured in the mobile services cockpit, the developer can add an AttestationService instance to the list of services passed to the SDKInitializer.start method. It then handles the entire attestation process, including sending the attestation request and adding the attestation token to the OKHttp request header. AttestationService takes one optional constructor argument that sets the duration between two attestation requests. If the duration is longer than the attestation token lifetime, or is not set, the service runs attestation only when the attestation token is missing or its lifetime has expired.

// Collect the mobile services to start, then register the attestation service.
val services = mutableListOf<MobileService>()
// Optional constructor argument: the duration between two attestation requests.
services.add(AttestationService())
// Start the SDK with all configured services (spread operator expands the array).
SDKInitializer.start(this, *services.toTypedArray())
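The two checks described above, the token being bound to a server-issued nonce with a timestamp and lifetime, and the client refreshing only when the token is missing or expired unless a shorter interval is set, are illustrated here in an added example written for this page. It is not SAP's mobile services code or Google's verifier: the function names (issue_nonce, verify_attestation, attestation_due) and the nonce time-to-live are assumptions, the JWS payload field names (nonce, timestampMs, ctsProfileMatch, basicIntegrity) are those of a SafetyNet attestation response, and verification of the JWS signature against Google's certificate chain is a separate step that the example deliberately does not model.

```python
import base64
import json
import secrets
import time

# Constructed example; assumed names and values, not the mobile services implementation.
NONCE_TTL_S = 5 * 60  # assumption: how long an issued nonce stays acceptable

# Server-side record of issued nonces (nonce -> issue time); in-memory stand-in.
_issued_nonces = {}


def issue_nonce(now=None):
    """Server side: mint a fresh random nonce and remember when it was issued."""
    now = time.time() if now is None else now
    nonce = base64.b64encode(secrets.token_bytes(16)).decode()
    _issued_nonces[nonce] = now
    return nonce


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_attestation(jws, token_lifetime_s, now=None):
    """Server side: check the claims the page describes.

    The token must carry a nonce this server issued (consumed on first use, so a
    replayed token fails), its generation timestamp must lie within the token
    lifetime, and the device verdict must be positive. Signature verification of
    the JWS is assumed to happen before this function and is not modelled here.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        _header, payload_b64, _sig = jws.split(".")
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed JWS"
    issued_at = _issued_nonces.pop(payload.get("nonce"), None)
    if issued_at is None:
        return False, "unknown or reused nonce"
    if now - issued_at > NONCE_TTL_S:
        return False, "nonce expired"
    generated_at = payload.get("timestampMs", 0) / 1000.0
    if generated_at > now + 60:  # small allowance for clock skew
        return False, "timestamp in the future"
    if now - generated_at > token_lifetime_s:
        return False, "attestation token expired"
    if not (payload.get("basicIntegrity") and payload.get("ctsProfileMatch")):
        return False, "device failed integrity checks"
    return True, "ok"


def attestation_due(last_attested_at, token_lifetime_s, interval_s, now):
    """Client side: the refresh rule the page states for AttestationService.

    With no interval, or an interval longer than the token lifetime, attest only
    when the token is missing or expired; otherwise attest once per interval."""
    if last_attested_at is None:
        return True  # no token yet
    if interval_s is None or interval_s > token_lifetime_s:
        return now - last_attested_at >= token_lifetime_s
    return now - last_attested_at >= interval_s


def make_sample_jws(payload):
    """Build a constructed, unsigned JWS so the example runs offline."""
    def enc(b):
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(b'{"alg":"RS256"}'), enc(json.dumps(payload).encode()), "sig"])


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    nonce = issue_nonce(t0)
    token = make_sample_jws({"nonce": nonce, "timestampMs": int(t0 * 1000),
                             "ctsProfileMatch": True, "basicIntegrity": True})
    print(verify_attestation(token, 3600, t0 + 10))   # (True, 'ok')
    print(verify_attestation(token, 3600, t0 + 10))   # replay -> (False, 'unknown or reused nonce')
    print(attestation_due(t0, 3600, None, t0 + 100))  # False: token still valid
    print(attestation_due(t0, 3600, 600, t0 + 600))   # True: interval reached
```

The nonce is consumed when first seen, so a captured token cannot be presented twice, and the lifetime check uses the token's own generation timestamp rather than the time of receipt, which is what makes an old-but-genuine token fail in the same way as a missing one.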

The mobile services cockpit provides a chart showing the attestation status of OKHttp requests. The developer can inspect the chart to check whether the app and device are treated as genuine by the mobile services. If Android attestation is configured in Enforced mode, failing to obtain an attestation token causes OKHttp requests to back-end connections to be rejected.

Google sets the default quota allotment (per project) for calling the SafetyNet Attestation API at 10,000 requests per day across all app users. If the attestation requests exceed the quota, the mobile services cockpit shows a warning message. The developer then needs to reduce the frequency of attestation requests, or apply to Google for more quota.

Last update: September 29, 2022